NIST eyes removing flawed Dual_EC_DRBG alogrithm from guidelines

Share this article:
Researchers uncover NSA tool, enables faster cracking of flawed RSA algorithm
NIST is looking to remove the flawed Dual_EC_DRBG algorithm from its guidelines.

The National Institute of Standards and Technology (NIST) is seeking to update its guidelines by removing a flawed, community-developed algorithm believed to contain a backdoor.

NIST announced on Monday that it had revised its document, “Recommendation for Random Number Generation Using Deterministic Random Bit Generators,” to exclude the questionable Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) algorithm.

“NIST is removing the algorithm based on our own evaluation and the lack of public confidence in the algorithm,” Jennifer Huergo, a NIST spokesperson, told SCMagazine.com in a Tuesday email correspondence.

Huergo linked to a revision summary, posted on Monday, which explains how Dual_EC_DRBG is perceived by the public to contain a backdoor. This backdoor could result in attackers predicting secret cryptographic keys, according to the summary.

The revised document, known as SP 800-90A, has only just been opened for public comments, so there has not yet been much of a community response, Huergo said. Commenters have until May 23 to voice their opinions on the update, according to a Monday NIST release.

NIST is urging all users not to wait for further revisions and to quickly begin shifting to one of the other algorithms still supported in the revised document, which include the Hash_DRBG, HMAC_DRBG, and CTR_DRBG algorithms.

In September 2013, NIST advised against using Dual_EC_DRBG due to a possible backdoor. Shortly after, RSA, which used the algorithm in all its BSAFE Toolkits, recommended shifting to one of the different algorithms built into the BSAFE Toolkit.

In December 2013, reports suggested that RSA entered into a $10 million secret agreement with the National Security Agency (NSA) to continue using the flawed algorithm in its products, but RSA quickly denied the allegations.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Beazley: employee errors root of most data breaches, but malware incidents cost ...

Insurance firm Beazley analyzed more than 1,500 data breaches it serviced between 2013 and 2014.

Apple issues seven updates, fixes more than 40 vulnerabilities in iOS 8, OS 10.9.5

Apple issues seven updates, fixes more than 40 ...

In one of its infrequent "Update Surprisedays," Apple plugged holes, boosted security and added features.

Canadian telecom co. Telus unveils first transparency report

The company received more than 100,000 government requests for customer data last year.